Overview

Vendors should be reassessed for security posture and controls at least annually and whenever a contract is to be renewed. Security controls and policies should be reviewed and, if appropriate, a penetration test should be conducted, or the results of an independent penetration test provided.

Why are they asking this?

Reassessing a vendor regularly ensures that your organization knows the current risk level associated with each vendor. That risk level affects your organization directly, since you may share data, information, or trade secrets with the vendor.

What do they expect?

They expect a vendor or acquisition policy that reassesses the vendor's security posture and controls at least annually and whenever a contract is to be renewed. The requirement to submit to these reassessments should be included in all contracts and agreements.